OPNsense vs pfSense

I started trying to understand the OPNsense / pfSense split a while ago, and thought I would make a post of what I know so far.

This is still incomplete, but I thought I would post what I have so far.

Non-Code Differences

Cast of Characters

  • Manuel Kasper – Original m0n0wall developer
  • Netgate/ESF/RCL – Corporate owner of pfSense. As far as I can tell Netgate, Rubicon Communications LLC (RCL), and Electric Sheep Fencing LP (ESF) appear to behave as one company.
  • Deciso B.V. – Corporate owner/founder of OPNsense, also runs the m0n0wall site archive.

Heritage

FreeBSD → m0n0wall → pfSense → OPNsense

m0n0wall was a FreeBSD distro (for lack of a better word) for embedded systems, using PHP to replace large parts of the boot configuration and providing a web UI.

pfSense was forked from m0n0wall, and in 2013 was sold to Electric Sheep Fencing.

OPNwall was forked in 2015 from pfSense by Deciso.

Licence

pfSense: Apache ← ESF 6 clause ← originally BSD
OPNsense: BSD

Before the switch to the Apache Licence, the pfSense project required contributors to sign a Contributor Licence Agreement; I am not sure if this was for all code contributions, or just the “tools” repository used to build pfSense images. I haven’t found any contributor agreement for OPNsense yet.

Speedy deletion wiki says that ESF license was used in 2013, so probably right when they acquired pfSense?

Trademark Policy

Part of the reason for the fork seems to have been about the “pfSense” trademark.

Netgate claims that Deciso tried to register the “pfSense” trademark in Europe to steal it from them, but I’m not knowledgeable enough about international trademark law to know whether this is what they were trying to do or not. I might try to read up about this more later.

For context, Yawarra, another appliance seller, rebranded their pfSense builds as Rident in 2014 when they needed to make some modifications and the resulting builds were not allowed to be called “pfSense”. They went back to vanilla pfSense at some point later:

Note: We are no longer creating new versions of Rident™ because pfSense® now works on our servers “out of the box”.


Whatever happened, I was curious how Deciso plans to treat the “OPNsense” trademark in comparison to ESF/Netgate/RCL with “pfSense” so I asked on the OPNsense forum:

https://forum.opnsense.org/index.php?topic=8587.0

I found the reply I got reassuring, but words are not always indicative of future action, so take it with a grain of salt. If you want to compare the listed policies yourself:

Also both Netgate/pfSense and Deciso/OPNsense offer a partner program, but I haven’t looked into these much yet:

m0n0wall Archive

Manuel Kasper retired the m0n0wall project in 2015 and recommended contributors to move to OPNsense. Later it seems he handed off the old site to OPNsense/Deciso who now run the archive.

Of course some pfSense/Netgate people are suspicious of this, but Kasper’s website (and its domain is still registered to him personally) points to the OPNsense-maintained m0n0wall site without comment.

I will say that I personally find the banner recommending OPNsense on the m0n0wall site more than a bit tacky.

opnsense.com Affair

RCL/Netgate registered the domain opnsense.com and used it to slander/parody (depends on who you ask) OPNsense, who uses the opnsense.org domain. Notably, there was no disclaimer that the site was a parody, and the footer contained a deceptive copyright notice, reading: “© 2016 OPNsense”

Deciso, arguing that the site and RCL/Netgate’s use of the domain was misleading and intended only to damage their trademark (OPNSENSE), brought a case to WIPO arbitration and won the right to the domain name:

https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1828

Code Differences

todo

Other

Reviews/Comparisons Swamp

If you are feeling masochistic and want to look at YouTube comments and reddit posts, there are plenty of instances of name calling and arguing.

At this point I’m cynical enough to not really trust anything I read, although this blog post does a nice UI comparison with screen shots and seems legitimate enough.

Prior Threads



9 Likes

This would be good in the wiki/how-to section.

1 Like

I would be cautious about making a wiki, an edit war seems very likely. For example, almost every reddit thread on the subject has people accusing others of being fake accounts.

Making the top post editable (I assume that’s what the wiki section does) sounds like it would be very tempting for trolls.

Only for Regular and above, if I remember correctly. Makes it only editable by OP and people we really trust.

I used to think pfsense was a good product until I saw this:

pfSense - “the work required to sustain the open source project is no longer financially viable under the current business model”

Lots of really troubling comments by u/gonzopacho about how to fix the financially viable issue, which includes charging money for the software or just discontinuing the project entirely. Here is one such comment that makes me think the people at Netgate don’t really understand open source. ~“open source != free” The Netgate people also go on about how they are attacked everyday for interacting with the community and also being attacked for not interacting with the community.

In my opinion, the pfsense subreddit and pfsense forums have been toxic to ask any help on a bug affecting the system. If I am going to trust an open source project with the security of my network, it won’t be to someone who makes things like this website (webarchive link).

Also if you’re going to mention the EU thing, you should also link the WIPO case.

Yeah, I wasn’t going to mention it because it doesn’t really affect my main concerns: the code licence, and communities not owning the name they use; but I can understand that stuff like that does affect your ability to trust the people shipping code to you. Especially when they excuse themselves by saying, “we didn’t make the site, we just pointed the A record to someone who did” – I should probably track down where I saw that though.

I understand, makes sense. I still have several clients who run pfsense without a problem, but my opinion of them is very tainted now because of it.

Since I saw all the comments you are talking about as it happened, I will post links:

u/gonzopacho - Which Netgate employee was it? No Netgate employee created that site.

u/gonzopacho - Is it true you put up that site and lost the case? If not, what happened? No, it’s not true that I put up that site. It’s also not true that I designed the site. As previously stated, someone in the community designed and erected the site. All I did was set an A record in DNS. Further, it’s not true that there was a ‘case’ or lawsuit. It was, literally, if you read your last link, an administrative matter.

There was also a source linking the opnsense fake website being owned by the wife of u/gonzopacho (Jim Thompson), but I can’t seem to find it now. So may or may not be true. Take it with a huge grain of salt.

Hmm, it seems he deleted those, not sure why I can see them under his comment history then. Screen shot

Edit: It was also pointed out that since he set an A record, that he had to have had access to the domain to be able to do that.

If you think it makes sense, go ahead.

If a future writer wants to understand my use of company names, I tried to always use Netgate (since that seems to be the common name) and whatever was explicitly mentioned. For example, the WIPO case refers to “Rubicon Communications dba Netgate of Austin” so I wrote this as RCL/Netgate. Feel free to change this if you think of something better, but I always wanted to include Netgate, so the reader could hopefully follow along.

Especially if this is turned into a Wiki, I think it would be best to leave most of the reddit stuff in the Swamp section, if it is to be included at all.

For example, I tried to leave the WIPO section about the domain and trademark; the Swamp section would be the place to look if you want to hunt through all sorts of posts to judge either party’s behaviour.

Agreed.

Though I would like to add, opnsense doesn’t have a PFBlockerNG like plugin yet, which can be a big decision maker for some people who want to be able to create lists of IPs to block on the firewall.

K then, preliminary code differences section, here we come:

| | OPNsense | pfSense |
|---|---|---|
| Crypto library | LibreSSL, OpenSSL | OpenSSL |
| Web UI | Phalcon as PHP MVC framework | Python for web UI (I think) |
| PFBlockerNG | no | yes |
| ZFS support | in development | root-on-ZFS supported (I think) |
| Misc | HardenedBSD code | |

Comparing roadmaps might help:

pfSense has the PFBlockerNG plugin, not OPNsense. Reverse the yes/nos. :stuck_out_tongue:

I run pfsense. As a corporate type, I’m also looking to roll it out in various places (in lieu of Cisco ASAs or Palo Altos for smaller deployments at this stage) and having a company behind it that can sell fully supported hardware (or a support subscription for third party hardware) is a big plus.

Open source is all well and good, but having someone you can have on file for the company to call, who is paid to pick up the damn phone if you get hit by a bus or take a holiday or whatever is a big plus - and worth more to a lot of businesses than minor technology advancements.

Both Netgate and Deciso offer support for pfSense and OPNsense respectively.

I could add a Support section, but that’s going to be difficult to objectively compare except in terms of price. Even then, I don’t know if the support packages are really analogous.

Both Netgate and Deciso charge upfront for a minimum of 1 year, but the Netgate pricing structure is far more complex with three tiers and discounts for multi-year purchases and for bundling with Netgate hardware.

Deciso does offer two other tiers, but they are meant for “integrators” and “resellers”, so my understanding is that their “business” support is what should be compared to Netgate’s offerings.

Do note that the Netgate plan comparison page is showing the price for a discounted three year subscription. The one and two year plans will be more expensive. It also seems a bit deceptive to me to list a monthly price in large font, when you don’t charge by the month.

1 Like

Fixed.

Does pfSense have a patron? I understand that programmers need to eat too. Though I like that more projects are hopping on Patreon, like Solus and Mate. It’s really helping them flourish.

1 Like

Netgate/Rubicon Communications LLC/Electric Sheep Fencing LP own the trademark and run the pfSense website. Both they and NYI are listed as “patrons” of the project on their pfSense Patrons page.

This seems comparable to how Deciso owns the trademark and runs the OPNsense website. It is listed as “partner” along with others on the OPNsense Partners page.

While pfSense doesn’t say how much of a contribution is needed to be a “patron”, OPNsense partnership “means a minimum annual investment of € 2500”.


Edit: Oh, you were asking about Patreon, as in donations.
Well, on that front, pfSense no longer accepts donations.
For comparison, OPNsense does accept donations.

1 Like

Thanks for that.

This is a problem for some of the clients I have pfsense setup at. Support times from Netgate are so bad that they want to move to Cisco or someone else. I think the best time we got from them is about 6 hours of waiting time. But since they don’t have Cisco money (or even Ubiquiti money), they put up with it for now.